What does "wsse:InvalidSecurity" mean? - web-services

An error was discovered processing the <wsse:Security> header
This is a WS-Security question btw...
I can't see anything wrong with my WS endpoint (apart from the fact that it's running in a TIBCO BW engine!). Does someone have any 'prior' with this kind of error? I realise that the WS-Security Header could be broken anywhere presumably to get this error but, there's GOT to be a 90% percentile on some kind of common error.
Here's the secured SOAP - the client is standalone java (WSS4J 1.5.0) performing signing only at this stage.
<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="1">
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-20237898">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#id-18414151">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>DvjhvAtEVxwntL/RjMCNhId57cg=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
YbOB3FRduCr5rutpIvch9sDZfZToy3pjm+Kyl/Oqz6cAPqMVKqvKBb4P7ebnzP/3SVjm+PfLqlE5
BGgcT3Vz93apyg+eY1rAIYUs7K1Zt9F5ejMmij6HQpQTGpyM9BUXJi1x5bt9GuMtD0SK939bIIE2
ZUyZ0jPJp/wUhMonskw=
</ds:SignatureValue>
<ds:KeyInfo Id="KeyId-15734641">
<wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="STRId-3852606">
<ds:X509Data>
<ds:X509IssuerSerial>
<ds:X509IssuerName>CN=Mark Hesketh,OU=asdf,O=DVA,L=Canberra,ST=ACT,C=AU</ds:X509IssuerName>
<ds:X509SerialNumber>1231310305</ds:X509SerialNumber>
</ds:X509IssuerSerial>
</ds:X509Data>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
</wsse:Security>
</soapenv:Header>
<soapenv:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-18414151">
<message xmlns="http://www.tibco.com/schemas/CertificateWork/Resources/Schema.xsd" text="Sample msg with SHA1 signature"/>
</soapenv:Body>
</soapenv:Envelope>

Wow... if you're still having this problem, you have more patience than I... but just in case, here's my thoughts:
http://schemas.xmlsoap.org/specs/ws-security/ws-security.htm#ws-security__toc6201567 - suggests that this is a problem reading the tag.
One thing that sticks out to me is that I don't see a reference connecting the signature to the key info. Certainly, I would assume that the KeyInfo element is describing the certificate that used a private key to make the SignatureValue, but I don't see a piece of the XML that is telling the software that. I don't think including the KeyInfo is enough, there may have to be a link to it.
If not that, I'd double check this against the schema, and maybe an independent schema verifying source. An error at the header level makes me think format rather than content.
That's my first guess at this one, and it's just a guess without getting hands on with your system and trying a bunch of different things. If that doesn't work, this is my general logical chain for this type of error:
Format - the XML correct according to the schema?
Signature - the signature needs three things: data, a key, a set of algorithms for making it. Check all three - is the data correct, is the key correct, are the algorithms appropriate for the key and for how the message will be handled? Also, are the key and data items referenced properly and being found by your library?
External sources of info - in this case, your key info references a certificate that presumably is pulled from somewhere else - like an LDAP cert store. So.. can your code get to that external source, is the source of data running and network accessible from where you are running the code? etc.
If PKI -- Certificate Validation/Trust - what does the system have to do behind the scenes to trust the signer? OCSP checks? Lookup in LDAP? Chain to trusted root? etc. Is the trust algorithm working properly and does it have everything it needs - ie, access to OCSP responder, properly configured certificate store, etc.
I reorder these steps based upon my guess on what the error means. The errors are not so intuitive -- so I often go through all these steps just in case my interpretation of the error is wrong. Besides, I may then prevent a problem later...
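An added example, not part of the original answer or of WSS4J: a small Python pre-check for the "Signature" step of the chain above. It confirms that each ds:Reference resolves to exactly one element and that ds:KeyInfo carries a wsse:SecurityTokenReference, and it lists the algorithms in use. The function name and the trimmed sample envelope are constructed for illustration; digests and the signature value are not verified.

```python
import xml.etree.ElementTree as ET

NS = {
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
}
WSU_ID = "{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Id"

# Constructed sample: same shape as the message in the question, values trimmed.
SAMPLE = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
 xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <soapenv:Header><wsse:Security><ds:Signature Id="Signature-1">
  <ds:SignedInfo>
   <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
   <ds:Reference URI="#id-1">
    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
   </ds:Reference>
  </ds:SignedInfo>
  <ds:KeyInfo Id="KeyId-1"><wsse:SecurityTokenReference/></ds:KeyInfo>
 </ds:Signature></wsse:Security></soapenv:Header>
 <soapenv:Body wsu:Id="id-1"><message text="constructed sample"/></soapenv:Body>
</soapenv:Envelope>"""

def check_signed_envelope(xml_text):
    """Structural pre-checks; returns {'problems': [...], 'algorithms': [...]}."""
    root = ET.fromstring(xml_text)  # raises ParseError if the XML is not well-formed
    # Map every wsu:Id / Id value to the tags of the elements carrying it.
    ids = {}
    for el in root.iter():
        for value in (el.get(WSU_ID), el.get("Id")):
            if value:
                ids.setdefault(value, []).append(el.tag)
    sig = root.find("soapenv:Header/wsse:Security/ds:Signature", NS)
    if sig is None:
        return {"problems": ["no ds:Signature under wsse:Security"], "algorithms": []}
    problems = []
    # Data: a same-document Reference must match exactly one element.
    for ref in sig.findall("ds:SignedInfo/ds:Reference", NS):
        uri = ref.get("URI", "")
        hits = ids.get(uri[1:], []) if uri.startswith("#") else []
        if len(hits) != 1:
            problems.append("Reference %r resolves to %d elements" % (uri, len(hits)))
    # Key: the receiver needs a token reference to locate the certificate.
    if sig.find("ds:KeyInfo/wsse:SecurityTokenReference", NS) is None:
        problems.append("ds:KeyInfo has no wsse:SecurityTokenReference")
    # Algorithms: listed so they can be compared with what the receiver accepts.
    algorithms = [el.get("Algorithm") for el in sig.iter() if el.get("Algorithm")]
    return {"problems": problems, "algorithms": algorithms}

if __name__ == "__main__":
    print(check_signed_envelope(SAMPLE))
```
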

Check your SOAPAction in the Header. The value in the WSDL must be the same as in the call. A wrong value can cause an InvalidSecurity error.
In Java you can get the message as text with
soapMessage.getSOAPPart().getEnvelope();
Here you can check the values and settings.

Related

Veins: How to verify if rerouting is using user set algorithm

I'm using veins 4.6 and trying to evaluate the change in emissions due to different routing protocols. By exploring SUMO site I have managed to set base for the experiment. For now I'm using veins demo application with minor configurations changes. Here is content of my erlangen.sumo.cfg file:
<?xml version="1.0" encoding="iso-8859-1"?>
<configuration xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://sumo.sf.net/xsd/sumoConfiguration.xsd">
<input>
<net-file value="erlangen.net.xml"/>
<route-files value="erlangen.rou.xml"/>
<additional-files value="erlangen.poly.xml"/>
</input>
<time>
<begin value="0"/>
<end value="400"/>
<step-length value="1"/>
</time>
<routing>
<routing-algorithm value="CHWrapper"/>
<device.rerouting.probability value="1"/>
</routing>
<emissions>
<device.emissions.probability value="1"/>
</emissions>
<report>
<no-step-log value="true"/>
</report>
<gui_only>
<start value="true"/>
</gui_only>
<output>
<fcd-output value="erlangen.fcd.xml"/>
<emission-output value="erlangen.emission.xml"/>
<tripinfo-output value="erlangen.trip_info.xml"/>
<vehroute-output value="erlangen.route_followed.xml"/>
<summary value="erlangen.summary.xml" />
</output>
</configuration>
Routes file (erlangen.rou.xml) content is as follows:
<routes xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://sumo.dlr.de/xsd/routes_file.xsd">
<vType id="passenger" vClass="passenger" accel="2.6" decel="4.5" sigma="0.5" length="2.5" minGap="2.5"
maxSpeed="120" guiShape="passenger/sedan" color="1,0,0" emissionClass="HBEFA3/LDV_G_EU4">
<param key="has.emission.device" value="true"/>
<param key="has.rerouting.device" value="true"/>
<param key="device.fcd.probability" value="1"/>
</vType>
<flow id="flow0" type="passenger" from="3013106#1" to="29900564#1" begin="0" period="3" number="30" />
</routes>
erlangen.net.xml is unchanged and in omnetpp.ini I have changed *.connectionManager.maxInterfDist from 2600m to 100m only.
Using these configurations I have run the simulation using A* and CHWrapper algorithm but output of both is ditto copy. In below image it is visible that node 25 - 29 followed a different path after rerouting, but these are same in both cases.
Tripinfo results are given below, as discussed here "tripinfo_rerouteNo" clearly shows that nodes have been rerouted.
Now following is revolving in my mind:
Are routing algorithms applied successfully (set in erlangen.sumo.cfg) or in both cases default Dijkstra was used?
Routing algorithms applied successfully but results are same because network was not congested enough / don't have enough alternate paths to follow. So I should have change network, with multiple accident count etc.
I'm not getting how rerouting is working here.
I'm stuck here, any directions will be highly appreciated.
It is not easy to say from the outside which routing algorithm has been applied, but I would assume 2. is the correct solution. The different algorithms are basically different in the way they can handle dynamic changes to the edge weight vs. the calculation speed but in most cases they should give the same result. You might wish to try the scale option to increase traffic easily or set device.rerouting.period to a value like 10 (seconds) to enable periodic rerouting of the vehicles to see more effects. Also setting weights.random-factor to a large value can help.
One can verify using a sample network like following:
In my test case I set starting position of vehicles as left most edge bottom lane and destination was upper lane of same edge. No uTurn was implemented therefore vehicles had to pass through junction, and FCD for every algorithm was significantly different.

Sage 300 (accpac) SDATA: Create Order

I'm attempting to use the Sage SDATA Rest Service to create an order. So far I can't seem to find what components make up an order in oeorders. Here's the Endpoint that I'm trying to hit:
[POST] http://{company}/SDataServlet/sdata/sageERP/accpac/{org}/oeorders/
So, how do I figure out what elements are required in my payload?
Figured out what was going wrong. You have to use POST when shipping a new order, not PUT. The most minimal payload seems to be the following:
<entry xmlns:sdata="http://schemas.sage.com/sdata/2008/1"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://www.w3.org/2005/Atom">
<sdata:payload>
<oeorder xmlns="http://schemas.sage.com/sageERP">
<TERMS></TERMS>
<CUSTOMER></CUSTOMER>
</oeorder>
</sdata:payload>
</entry>

Exchange Web Services - cannot get additional properties when calling "FindPeople" method

I'm making raw SOAP requests to Office365 and trying to get a list of contacts for specified AddressListId. I successfully get a list of contacts, but it does not include all additional information I need. Once I add some additional properties (e.g. PhoneNumber) to my request, the server returns Invalid shape error.
Here is my request:
<?xml version="1.0" encoding="UTF-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types"
xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages">
<soap:Header>
<t:RequestServerVersion Version="Exchange2013" />
</soap:Header>
<soap:Body >
<m:FindPeople>
<m:PersonaShape>
<t:BaseShape>IdOnly</t:BaseShape>
<t:AdditionalProperties>
<t:FieldURI FieldURI="persona:DisplayName"/>
<t:FieldURI FieldURI="persona:PhoneNumber"/>
</t:AdditionalProperties>
</m:PersonaShape>
<m:IndexedPageItemView BasePoint="Beginning" MaxEntriesReturned="100" Offset="0"/>
<m:ParentFolderId>
<t:AddressListId Id="###-####-####-####"/>
</m:ParentFolderId>
</m:FindPeople>
</soap:Body>
</soap:Envelope>
How can I get all additional information for each persona?
I am using EWS Managed API, so you will have to search for the raw SOAP calls on MSDN, I can only direct your search a bit:
I had a similar problem, because the very same is applicable for FindAppointments(). Asking for AppointmentSchema.RequiredAttendees will raise the Invalid Shape error, and AppointmentSchema.Organizer won't contain the email address, only the name of the organizer, after using FindAppointments().
The solution was to do TWO requests to Exchange Server.
var appointments = calendarFolder.FindAppointments(BasePropertySet.FirstClassProperties);
exchangeService.LoadPropertiesForItems(appointments, MyAdvancedProperties);
I think that the same "workaround" is possible with FindPeople(), as well as every other Find%Itemtype%() EWS may support, I am not sure, though.
EDIT: I just found http://social.technet.microsoft.com/Forums/exchange/en-US/e83abfb1-37a8-48fe-9579-4e120fb77746/ews-managed-api-loadpropertiesforitems-returns-unexpected-end-of-xml-document?forum=exchangesvrdevelopment where it is stated that LoadPropertiesForItems does a call to raw soap GetItem with multiple ItemIDs.

How to specify both jaxws and jaxb bindings to achieve @XmlRootElement

I've inherited a project that communicates with a SOAP-based web service. I'm a total noob at this, although have been doing Java for many years and have done a good bit with XML.
We have a WSDL file for the service, which contains the schema at the top and all the message definition stuff below. At the core of the problem, when I try to connect to the service through our code, I get the dreaded unable to marshal type "https.api_blah_com.services.v4.Product" as an element because it is missing an @XmlRootElement annotation]
My project already has a jaxws binding file:
<jaxws:bindings wsdlLocation="../resources/wsdl/BlahAPI.wsdl"
xmlns:jaxws="http://java.sun.com/xml/ns/jaxws" xmlns:xjc="http://java.sun.com/xml/ns/jaxb/xjc"
xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:jxb="http://java.sun.com/xml/ns/jaxb"
xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">
<jaxws:enableWrapperStyle>false</jaxws:enableWrapperStyle>
<jaxws:bindings
node="wsdl:definitions/wsdl:types/xs:schema[@targetNamespace='https:api.blah.com/services/v4']">
<jxb:globalBindings xmlns:jxb="http://java.sun.com/xml/ns/jaxb" xmlns:xs="http://www.w3.org/2001/XMLSchema">
<xjc:generateElementProperty>true</xjc:generateElementProperty>
</jxb:globalBindings>
</jaxws:bindings>
</jaxws:bindings>
Now I've read that in order to get all my Java classes generated with @XmlRootElement, I need to add a jaxb:globalBinding turning on simple mode.
I've tried adding to my local copy of the WSDL this:
<xs:annotation>
<xs:appinfo>
<jaxb:globalBindings>
<xjc:simple />
</jaxb:globalBindings>
</xs:appinfo>
</xs:annotation>
But the JAXB compiler complains that it cannot honor this globalBindings customization because it's attached to a wrong place or is inconsistent with other bindings.
So I tried adding another bindings file, just for jaxb, like so:
<?xml version="1.0" encoding="UTF-8"?>
<jaxb:bindings version="1.0" xmlns:jaxb="http://java.sun.com/xml/ns/jaxb"
xmlns:xjc="http://java.sun.com/xml/ns/jaxb/xjc"
xmlns:xs="http://www.w3.org/2001/XMLSchema">
<jaxb:bindings schemaLocation="../resources/wsdl/blah.wsdl">
<jaxb:globalBindings>
<xjc:simple />
</jaxb:globalBindings>
</jaxb:bindings>
</jaxb:bindings>
But then I get an error that blah.wsdl is not part of this compilation.
I am so close to calling this service...I just cannot get past this one thing, and it's all new to me so I'm not sure what else to try.
I could split out their WSDL into an XSD and a WSDL? Is that required to make this work?
I think you have to bind the xsd file not wsdl at this location. <jaxb:bindings schemaLocation="../resources/wsdl/blah.wsdl">. Please refer to section "External Binding Customization Files" at link.
Not sure if the JAXB binding is configured correctly. @XmlRootElement is required if the class forms the root of your element structure. However, in SOAP the SOAP element forms the root of the XML. Hence check if your ObjectFactory.java class is generated; if it is, verify that a method is created for the class type which returns an instance of the class type. For example, if you have a class Foo, a method public Foo createFoo() which returns an instance of Foo should be present in your ObjectFactory.java.
However, I would suggest you use the CXF-provided WSDL2Java with the client option enabled. It takes a few minutes to configure client code.

Array of element in WSDL File

Hello, I'm developing some web services in Java, so I have created a WSDL file to describe these services.
With my WSDL I create the web services (server side), but I can't create the client side because
I think the problem is
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:bil="http://tempuri.org/Services/" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">
<soapenv:Header/>
<soapenv:Body>
<bil:ArrayOfElement soapenc:arrayType="?" soapenc:offset="?" id="?" href="?">
<!--1 or more repetitions:-->
<Element>
<code>?</code>
<codeElement>?</codeElement>
<TypeService>?</TypeService>
</Element>
</bil:ArrayOfElement>
</soapenv:Body>
</soapenv:Envelope>
In fact, I don't know what we must put in this line:
<bil:ArrayOfElement soapenc:arrayType="?" soapenc:offset="?" id="?" href="?">
And for my tests I send this envelope and it works (but as you can see it's another WSDL):
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:bil="http://tempuri.org/Services/">
<soapenv:Header/>
<soapenv:Body>
<bil:ArrayOfElement>
<Element>
<code>exmepleCode</code>
<codeElement>exmempleCodeElement</codeElement>
<TypeService>a_Service_Type</TypeService>
</Element>
</bil:ArrayOfElement>
<!-- other elements-->
</soapenv:Body>
</soapenv:Envelope>
How did you create the WSDL?
One important issue when working with web services, or XML schemas (XSD) in general, is that there's no simple one-to-one mapping between XSD and language-specific types (Java in this case).
One of the implications is that when doing a 'round trip' mapping (Java to XSD, and then XSD to Java) you don't always get what you started with, especially when using non-simple types such as arrays or other containers.
The solution in this case is to create a "correct" XSD schema, and derive the Java definitions for the client and the server from this schema. Only a single XSD-to-Java transformation is done, so no issues of round-trip mapping are encountered.
To create such an XSD, you should use the native methods of defining collections in XSD, which is basically adding minOccurs and maxOccurs attributes to the basic element.
You can find more detailed reference here
Note that you don't have to use hand crafted xsd - you can also use any xsd editor (most modern IDE's have one) to get the same results.